XWiki Platform: XWIKI-20130

xredirect parameter can be used for phishing


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • 13.10.6

    Description

      The xredirect parameter is not verified and can be used to trick users into trusting links to unsafe sites.

      For example, a link https://xwiki-instance.com/bin/login/XWiki/XWikiLogin?xredirect=//www.badboy.com/&vm=commentsinline.vm&loginLink=1
      will show the correct XWiki login screen, and after a successful login the user will be redirected to the bad site.

      This could be used in phishing mails to trick users into trusting a site.

      Ideally XWiki would check url.trustedDomains from xwiki.properties for valid redirection targets.
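      As an added illustration of the check the report asks for, here is a small Java validator for an xredirect value. It is not XWiki's code and not the fix the project shipped; the trusted-domain list is a constructed stand-in for url.trustedDomains from xwiki.properties, and the class and method names are hypothetical. It accepts only absolute paths on the current site or http(s) URLs whose host is a trusted domain (or a subdomain of one), and it rejects the protocol-relative form from the report, "///host" variants that browsers also resolve to another origin, backslashes, control characters, non-http schemes, and authorities carrying userinfo.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not XWiki's own code): decides whether an xredirect value
 * may be followed after login. Hypothetical names throughout.
 */
public final class RedirectTargetCheck {

    // Constructed sample configuration standing in for url.trustedDomains.
    static final List<String> TRUSTED_DOMAINS = List.of("xwiki-instance.com", "wiki.example.org");

    private RedirectTargetCheck() {}

    /** True when the target is a same-site absolute path or an http(s) URL on a trusted host. */
    public static boolean isSafeRedirect(String target) {
        if (target == null || target.isBlank()) {
            return false;
        }
        // Browsers strip tabs/newlines and treat backslashes as slashes, so refuse them outright.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (Character.isISOControl(c) || Character.isWhitespace(c) || c == '\\') {
                return false;
            }
        }
        // "//www.badboy.com/" and "///www.badboy.com/" both resolve to another origin
        // relative to an http(s) page; java.net.URI would report the latter as a plain path.
        if (target.startsWith("//")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            String scheme = uri.getScheme();
            if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
                return false; // mailto:, ftp:, data: and any other non-web scheme
            }
            String host = uri.getHost();
            if (host == null || uri.getRawUserInfo() != null) {
                return false; // opaque forms and "trusted@other-host" authorities
            }
            return isTrustedHost(host.toLowerCase(Locale.ROOT));
        }
        // No scheme and no authority: must be an absolute path on this site.
        String path = uri.getRawPath();
        return path != null && path.startsWith("/");
    }

    static boolean isTrustedHost(String host) {
        for (String trusted : TRUSTED_DOMAINS) {
            if (host.equals(trusted) || host.endsWith("." + trusted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample targets; the second one is the value from the report.
        String[] samples = {
            "/bin/view/Main/",                            // same-site path: allowed
            "//www.badboy.com/",                          // protocol-relative: rejected
            "///www.badboy.com/",                         // extra slash variant: rejected
            "https://www.badboy.com/bin/view/Main/",      // untrusted host: rejected
            "https://xwiki-instance.com/bin/view/Main/",  // trusted host: allowed
            "ftp://files.xwiki-instance.com/",            // non-http scheme: rejected
            "http://xwiki-instance.com@www.badboy.com/"   // userinfo in authority: rejected
        };
        for (String s : samples) {
            System.out.println((isSafeRedirect(s) ? "ALLOW " : "REJECT") + "  " + s);
        }
    }
}
```

      When the check fails, the safe behaviour is to fall back to the wiki's own home page rather than to follow the supplied value in any form; a "stripped" version of a rejected target is still attacker-influenced.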

            People

              tmortagne Thomas Mortagne
              Simpel Simpel